AKS with Kubernetes Service Connection returns "Could not find any secrets associated with the Service Account." error in Azure Pipelines

Jimmy Lindsey 41 Reputation points

Hey everyone,

I have been following the "Automate multi-container Kubernetes deployments with Azure Pipelines" module here, I am getting a rather strange error that doesn't seem to be mentioned much on the internet. I do want to note first of all that I did have to change one thing about this setup process - namely the command to create the AKS instance. The one in the module gave me a error. Looking around resulted in me constructing this command that seems to work well - however if this is what is causing my problem please let me know:

az aks create \
--name $aksName \
--resource-group $rgName \
--enable-addons monitoring \
--kubernetes-version $aksVersion \
--generate-ssh-keys \
--node-vm-size standard_ds2 \
--node-count 2

Anyway, the AKS instance seems to be healthy, but when I go to create the Kubernetes Service Connection or the Spike environment, I get a "Could not find any secrets associated with the Service Account". I have tried recreating everything from scratch (deleting the resource-group and creating it whole again), but that doesn't seem to work. I have also researched to see if anyone else has had this issue, but most of the people talk about this error are using the Service Account option for creating the connection, whereas I am using the Azure Subscription option. The sole exception seems to be an some problems people were having with AKS for version 1.23 (and possibly 1.24.4), whereas my AKS instance is version 1.24.6. If anyone could give me any help, I would greatly appreciate it. I have a few ideas that I will try to work on in the meantime - I know Azure has the key vault and other ways to store secrets and service principles. Even though creating those things weren't a part of the module, maybe that is what I need to do.



Azure Kubernetes Service (AKS)
Azure Kubernetes Service (AKS)
An Azure service that provides serverless Kubernetes, an integrated continuous integration and continuous delivery experience, and enterprise-grade security and governance.
1,941 questions
{count} votes

Accepted answer
  1. KarishmaTiwari-MSFT 18,667 Reputation points Microsoft Employee

    UPDATE 4/19:

    Since a lot of customers are facing this issue, I got the latest update from the product team on this:

    1. Fix is tentatively expected for mid/late May.
    2. Blog on Short-term mitigation here: https://devblogs.microsoft.com/devops/service-connection-guidance-for-aks-customers-using-kubernetes-tasks/

    When creating Kubernetes service connection using Azure Subscription as the authentication method, it fails with error: Could not find any secrets associated with the Service Account.

    Unfortunately, there was a change to the AKS version 1.24.x that no longer automatically generates the associated secret for service account. The change was done on the AKS part, but not on the Azure DevOps side. The product team is currently investigating this issue.
    The change log for AKS 1.4.x version says -
    The LegacyServiceAccountTokenNoAutoGeneration feature gate is beta, and enabled by default. When enabled, Secret API objects containing service account tokens are no longer auto-generated for every ServiceAccount. Use the TokenRequest API to acquire service account tokens, or if a non-expiring token is required, create a Secret API object for the token controller to populate with a service account token by following this guide.

    Work done:
    There is an internal work item open with the Product team to resolve this. There is no ETA that can be shared at this point but it is in progress.

    For the time being, the easiest fix is to use one of the other two options to configure the Service Connection, KubeConfig or Service Account. You can find both the options explained step-by-step on this Developer Community ticket: New Kubernetes service connection causes an error Could not find any secrets associated with the Service Account. or you can follow the steps required when you attempt to configure a KubeConfig/Service Account Kubernetes Service Connection as explained in the public documentation here: Service connections in Azure Pipelines - Azure Pipelines | Microsoft Learn.

    Downgrading to 1.23. version is another option. However, I highly recommend one of these two options (i.e. KubeConfig or Service Account) for the time being and not being stuck for a longer period. There is no estimated time when the Subscription option will be available again. However, Microsoft is working on fixing the situation as they are currently actively investigating the best option to resolve this.

    Additional resources to go through on the same issue:


    If this answers your query, do click “Accept the answer” and Up-Vote for the same, which might be beneficial to other community members reading this thread.
    And, if you have any further query, do let us know in the comments and I would be happy to investigate further.

    5 people found this answer helpful.

8 additional answers

Sort by: Most helpful
  1. Antonio 15 Reputation points

    Hello. This very same month Azure has deprecated AKS versions bellow 1.24, so you are forced to upgrade at least to 1.24 to keep your AKS support. Currently I am unable to add kubernetes resources to my Azure Devops environments and now I see this is has been reported like 6 months ago... is there any ETA for a fix?

    3 people found this answer helpful.
    0 comments No comments

  2. prashanth destroyer 25 Reputation points

    If any of the above solutions didn't worked, try this. Go to Projects >> Project settings >> Service connections >> New service connection >> Kubernetes >> select the authentication method as KubeConfig and for the KubeConfig file, Open AKS in azure portal

    1. Open cloud shell or the Azure CLI
    2. Run the following commands “az account set --subscription {subscription ID}” “az aks get-credentials --resource-group {resource group name} --name {AKS-name} --admin” you will get a path to the kubeconfig file cat /home/********/.kube/config copy everything and paste in azure devops kubernetes service connection. Click on Accept untrusted certificates and Grant access permission to all pipelines. Give a service connection name and click verify.
    1 person found this answer helpful.

  3. Abimael Gonzalez Luna 5 Reputation points

    When I configure a pipeline, make a loop and aks for service account again. Workarounds doesn't work well, this is horrible after upgrade 1.24. MS is developing new version, to fix this? i tried to upgrade the latest version at this month is 1.26, figure out same situation.

    1 person found this answer helpful.
    0 comments No comments

  4. Biju Thomas 0 Reputation points

    Please choose "KubeConfig" instead of "Azure Subscription" and copy all contents from "/root/.kube/config" file and paste in the "KubeConfig" box. Fill the remaining details and click "verify and save" button.